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Greg Nelson 
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June 5, 1987 

Edsger Dijkstra has pointed out two errors in "A generalization of Dijkstra's 
calculus" (SRC-16). In the proof on page 42 that A]B is continuous in B, I 
assumed without justification that wp(A,?) was V-continuous (blush). And 
in the proof on page 44 that [x | A} is continuous in ^, I distributed V over 
V (blush, blush). 

In fact these operators are not continuous. However, they are monotonic, 
and the main results of SRC-16 on recursion and tail recursion can be proved 
using monotonicity only, as this note will show. Familiarity with SRC-16 will 
be assumed. 

First the counterexamples showing that composition and projection are 
not continuous. Let A and J3,- (for i > 0) be n-commands defined by 

vl = set n to any natural number 
Bi = n<i n := 0 0 Loop 

Then it is easy to check that 

A; Bi = n := 0 D Loop for all t 
(U t :: Bi) = n := 0 

and therefore that 

A;{Ui :: Bi) 
= A;n:=0 
= n := 0 
^ Loop Q n := 0 
= (Ut :: Loop Q n := 0) 
= {Ui::A;Bi) 

and similarly that 

In I (Ut:: 501 
= [n I n := OJ 
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= Skip 

^ Skip D Loop 

= (U t :: Skip Q Loop) 

= {Ut::|n|5»l) 

Thus |n I B} is not continuous in B, and neither is A ; B if ^4. is unboundedly 
non-deterministic. 

Here is the corrected theorem on continuity and monotonicity: 

Corrected Theorem 7. The fundamental operators and projection enjoy 
the following continuity and monotonicity properties: 

P A continuous in A 

A[\ B continuous in A and B 

A% B continuous in A and B 

A ; B continuous in A\ monotonic in B 

A ; B continuous in B if wp(vl, ?) is V-continuous 

fa: I A\ monotonic in A 

The proofs in SRC-16 establish all the continuity claims. The two mono- 
tonicity claims follow from the following lemma. 

Lemma 4. Let / be a command transformer (that is, a map from com- 
mands to conmiands) and h and hi predicate transformers such that for any 
command A and predicate R: 

w(l)p(/(A), R) = m)[vf{\)p[A,R)) . 

Then / is C-monotonic. 

Proof. Note first that h and hi must be conjunctive, since 

= M/)(w(l)p(5ibp, ?)) 
= w(I)p(/(5fcip), ?) 

and f{Skip) being by assumption a command, its predicate transformers are 
conjunctive. 

Now observe that 

AQB 

= (ViE : w(l)p(A,iE) =J>(^) w(l)p(B,ii:)) 
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=>■ {k and hi are monotonic} 

(Vi2 : /i(/)(w(l)p(A,i2)) =J>(^) /i{/)(w(l)p(5,iE))) 
= (Vi2 : w(l)p(/(>l), R) w(l)p(/(5), iE)) 

= f{A) □ 

Thus / is C-monotonic. | 

The proofs of the monotonicity claims of the corrected theorem follow from 
Lermna 4 and the semajitic equations 

w(l)p(A ■,B,R)= w(l)p(A,w(I)p(5,i2)) 
w{l)p([[x I Aj, R) = (Vx : w(l)p(A,i2)) 

Lemma 4 with w{l)p(A, ?) for h(l) establishes that A;B is monotonic in B, 
and with (Vx : ?) for hil) establishes that [x | A} is monotonic in A. | 

Since the operators on commands are only monotonic, not continuous, 
the appeal in the proof of Theorem 8 to the Limit Theorem must be replaced 
by an appeal to the Generalized Limit Theorem of Hitchcock and Park. 

The generalized theorem asserts that the least fibcpoint of a monotonic 
function / is equal to f", for some ordinal a, where f" is defined by the 
inductive rule 

r = {Up:P<a:f{f^)). 

See "The generalized limit theorem" (CGN46) for more details. This change 
is reflected in an obvious way in the statement of Theorem 8. 

Finally, these changes to the Limit Theorem and to Theorem 8 require 
a change to the proof of Theorem 9 on tail recursion. Starting in the middle 
of page 47, the proof should read as follows: 

To show that vfp{Xo,R) is the strongest fixpoint, observe that since / is 
monotonic, Theorem 8 implies that Xq = f for some ordinal a. Let P 
be any fixpoint of g{l,R); we prove by induction that wp(/°',iE) => P for 
all a. Therefore wp(Xo,^) =>• P, in other words, yip{Xo,R) is the strongest 
fixpoint. The induction is easy: 

wp(/",i2) =»P 
= wp((u/3:/3<a:/(/^)),i2)=»P 
= (V/?:^<a:wp(/(/^), P))^P 
= (V /? : ^ < a : wp(/(/^), R) => P) 
= {P is a fixpoint of g{?,R)} 
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(V^:^<a:wp{/(/^),i2)=»g(P,i2)) 
= {Tail Recursion identity} 

(V/? : /3 < a : j/(wp(/^, R), R) =^ g{P,R)) 
<= {g 18 monotonic} 

(V/?:/3 < a: wp(/^,i2) =4> P) 
= {induction} 

TRUE 

The proof that wIp(Xo,i2) is the weakest fixpoint is so similar that I won't 
write it out. 
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The following theorem is well known: 

Limit Theorem. If f is a. continuous function on a partia.Uy-ordered set in 
which every chain has a join, then f has a Jeast Gxpoint given by 

(Un : n > 0 : /'*(min)) , 

where min denotes the minimum element — which must exist, since it is the 
join of the empty chain. 

Hitchcock and Park [1] have improved this theorem, essentially by weakening 
the constraint on / from "continuous" to "monotonic" and extending the 
range of n from "the integers" to "the ordinals". Since I find that I need 
their generalized limit theorem in my treatment of recursion in Dijkstra's 
calculus, I am recording in this note my version of their proof. 

The reader is assumed to be familiar with the following facts about 
ordinals: 

1. An ordinal is a total well-founded order. 

2. For ordinals a and /3, the ordinal a + /? is a followed by p. 

3. For ordinals a and P, ol< P means a is isomorphic to a prefix of /9. 

4. The relation < on ordinals is itself a total well-founded order. 

5. There exist ordinals of arbitrarily large cardinality. 

As a consequence of 4, induction is valid over the ordinals, (Induction on 
ordinals is traditionally called "transfinite induction" — a phrase that makes 
me think of vampires.) Point 5 is a consequence of (and is equivalent to) the 
Axiom of Choice. 

Let / be a monotonic function on a partially ordered set in which every 
chain has a join. For each ordinal a, we define an element Z** of the partially 
ordered set by the rule 



r = {Ul3:l3<a:f{f^)). 



(1) 
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Note that is defined in terms of for /? < a, so the definition is not 
circular. In particular, 

/° = empty join = min 



(The ordinal u is the first infinite ordinal, namely the order type of the 
natural numbers.) 

Note that we have not attempted to define /"(s) for all a and z, since 
this will not be possible in general. (In particular, if x and f{x) are incom- 
parable.) 

I have modified Hitchcock and Park's theorem slightly: they define 



Their definition gives the wrong value (intuitively speaking) for limit ordi- 
nals, and introduces an unnecessary case analysis. 

Of course we have not yet shown that the join in (1) exists. This will 
be one of a series of little results that lead to the generalized limit theorem. 
The series is essentially the same as in Hitchcock and Park's proof. 

Lemma 1. If /" and are defined and a<p, then C 

Proof. 



nn 

nn u fin = nf) 



r 



/(nu /(nu ... 

/O U /I U /2 U . . . 



/o = min 

r = f{uP'.p <a: fP) for a 7^ 0 




is defined for 0 < a 
=i>- {Lemma 1, totality of < on ordinals} 
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and defined and comparable for < a 
=>• {/ monotonic} 

/(/^) and /(/^') defined and comparable for < a 
{(1), joins of chains exist} 
f is defined | 

Lemma 3. f°'+^ = /(/«) for all a. 

Proof. 

ya+l 

= (Uy9:^<a + l:/(/^)) 

= {uP:p<a:f{fP)) 

= {U distributes over U } 

(U/?:/? < a: /(/«)□ 
= {Lenmia 1, monotonicity of /} 
:/?<«: /(/-)) 

= fin I 

Lemma 4. For any fixpoint z of / and any ordinal a, we have f"' C x. 
Proof. By induction on a. 

{yp:p<a:fPQx) 
=> {monotonicity of /} 

(V^ : < a : /(/^) □ /(x)) 
= {x is a fixpoint of /} 

{^P:0<cc: f[fP) C x) 
=>• {join is the least upper bound} 

[uP:P<a:f{fP))Qx 

= {(1)} 

r^x I 

Lemma 5. If a < /? and f"^ = fP, then the common value of and is 
the least fixpoint of /. 
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Proof. Suppose f = f^. Then 

a < /? 
=> a<a+l<y9 
=>■ {Lemma 1} 

=>■ {Lemma 3} 

/** is a fixpoint of / 

By Lemma 4, /** C 2 for any other fixpoint x, so f is the least fixpoint. 
I 

Generalized Limit Theorem. If f is a monotonic function on a partially 
ordered set in which every chain has a join, then f has a least fixpoint given 
by for some ordinal a. 

Proof. Let '7 be an ordinal whose cardinality exceeds the cardinality of the 
partially ordered set. Then we must have /" = f^ for some a < /? < -7. By 
Lemma 5, is the least fixpoint of /. | 

Reference 

[1] Peter Hitchcock and David Park. Induction Rules and Termination 
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Author's abstract 



This paper gives a self-contained account of a general calculus of program seman- 
tics, from first principles through the semantics of recursion. The calculus is like 
Dijkstra's guarded commands, but without the Law of the Excluded Miracle; like 
extended dynamic logic, but with a different approximation relation; like a relational 
calculus studied by deBakker, but with partial relations as well as total relations; like 
predicative programming, but with a more standard notion of total correctness. The 
treatment of recursion uses the fixpoint method from denotational semantics. 
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Capsule review 

This report describes several technical advances in axiomatic semantics. Sections one 
through seven present a gentle introduction to an extended version of Dijkstra's wp- 
calculus. The primary technical innovations are the introduction of partial commands, 
and the complete characterization of partial commands as predicates, following and 
extending Hehner's work. The final three chapters begin the synthesis of ajciomatic and 
denotational semantics by presenting the first coherent treatment of general recursion 
for an axiomatic semantics. As an example of the power of this characterization, the 
semantics of tail-recursion (and thus the primitive control structures of Dijkstra's 
calculus) are derived. 

Although partial commands are not executable, they are an important part of this 
work. They simplify many of the equations, and reduce the number of primitive oper- 
ations. The principal drawback to adopting partial commands is that Dijkstra's Law 
of the Excluded Miracle must be abandoned, thereby eliminating one of the better 
theorem names from computer science. 
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ERRATA 

Errors on pages 42 and 44 are corrected in the accompanying notes. 



Introduction 

There is a remarkable omission from the guarded command language that 
Edsger Dijkstra introduced in his classic Discipline of Programming: it 
doesn't have procedures. One of the reasons that he left them out was to 
avoid getting tangled in the complexities of recursion, as we can infer from 
this remark in his preface: "the semantics of a repetitive construct can be 
defined in terms of a recurrence relation between predicates, whereas the se- 
mantic definition of a general recursion requires a recurrence relation between 
predicate transformers. This shows quite clearly why I regard general recur- 
sion as an order of magnitude more complicated than just repetition" [2]. 

Dijkstra's remark went against the spirit of the time, which was all for 
treating iteration as a special case of recursion. A sample of the reaction was 
E. C. R. Hehner's paper "do considered od" [10], which criticized Dijkstra's 
repetitive control structure and argued that recursion should be used instead. 
But, although the paper doesn't mention it, Hehner's treatment of recursion 
works only for tail recursions, not for general recursions. The technical 
difficulty mentioned in Dijkstra's remark has remained an obstacle to the 
treatment of general recursion. 

Recent developments suggest a way to get around the difiiculty: Hehner 
and C. A. R. Hoare have approached programs as predicates instead of pred- 
icate transformers, and Dijkstra and others have derived the correspondence 
between the two approaches. I call this the cograph correspondence. This pa- 
per grew out of my effort to handle general recursion in Dijkstra's calculus 
by using the cograph correspondence to reduce predicate transformer recur- 
rences to predicate recurrences. The effort produced the solution described 
in sections 7 and 8. 

The solution uses the method of fixpoint semantics: define an approxi- 
mation relation on guarded commands and prove that the operators of the 
language distribute over joins of chains in this relation. This is the method 
that Dana Scott used to construct models of the lambda-calculus, laying the 
foundations of domain theory and denotational semantics. 

The heart of the solution is the definition of an appropriate approxima- 
tion relation. The definition vindicates two distinctive features of guarded 
conmiands: nondeterminism and total correctness. At first these features 
seem problematical, but in the end they force a definition that is unexpect- 
edly simple and symmetric. 

The definition is in section 8; here is a preview for readers who are 
familiar with Dijkstra's calculus. For commands A and B, let A C S (read 
A approximates B) mean that for any R, 

wp(A, R) => wp(B, R) and wlp(S, R) =^ vflp{A, R) . 
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Under this relation, the set of guarded commands forms a domain in the 
sense of denotational semantics; that is, a continuous partial order. 

As I worked out the details of this solution, I became more and more 
dissatisfied with Dijkstra's well-known Law of the Excluded Miracle. The 
Law states that any command A satisfies wp(A, false) = false; in other 
words, no command can establish the postcondition false. This seems hard 
to argue with, but I found that the Law was never useful, and it complicated 
the cograph correspondence. As we shall see, the technical effect of the Law 
is to exclude partial commands; that is, commands that correspond to partial 
relations between states and outcomes. It is reasonable to prohibit partial 
commands from practical general-purpose programming languages, because 
in general they require backtracking to implement. Also, they are tricky to 
think about, because their semantics hinge on subtle aspects of nondetermin- 
ism. But these are no reasons to prohibit them from the semantic calculus, 
any more than we should prohibit fractions on the grounds that whole num- 
bers are easier to compute with and understand. In fact, partial commands 
provide a useful framework when nondeterminism arises in practice, as in 
the parsing of context-free languages. 

I concluded that the Law of the Excluded Miracle is like bubble sort: it 
is unfortunate that it has a catchy name, because the world would be better 
off to forget it. I have dropped the Law and admitted partial commands, 
obtaining a general version of Dijkstra's calculus that is in many ways simpler 
than his classical version, just as the rational numbers have simpler algebraic 
properties than the integers. 

The general calculus includes all the control structure operators of the 
classical version. But to avoid violating the Law of the Excluded Miracle, 
the classical syntax restricts the use of these operators; for example, 

if aUQ-^ B n 

is allowed, but 

(ADB);(P-^C) 

is not. The general calculus allows the operators to be combined freely. This 
is a step forward, since, as a rule, operators are good and syntax is bad. 
For example, the syntactic freedom simplifies proofs by structural induction. 
A less fundamental difference is that the general calculus includes a new 
operator 0, a non-commutative version of Q, which is needed in the tail 
recursions that define if A fi and do A od. 

The plan for this paper is to give a self-contained account of the gen- 
eral calculus, from first principles through the semantics of recursion. The 
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first half of the paper focuses on the nature of partial commands; the last 
half on recursion. Technicalities are postponed to the second half whenever 
possible. The only prerequisite for reading the paper is the ability to follow 
manipulations involving boolean operators and quantifiers. 

Section 1 is an essay that introduces the various technical approaches 
and semantic models that arise in axiomatic semantics. In sections 2 
through 5, we begin the study of the general calculus by considering the 
semantics of the fundamental operations for sequencing and testing. To 
avoid the confusion that surrounds partial commands, we will approach the 
general calculus via several of the techniques explained in section 1: as a cal- 
culus of relations, as a calculus of operations, and as a calculus of predicate 
transformers, examining the role of partial commands each time. In section 6 
we consider the semantics of assignment and local variables, which leads to 
the cograph correspondence in section 7. In section 8 we consider general 
recursion, and in section 9 the special case of tail recursion and iteration. 

The first half of the paper seeks to develop intuition by approaching the 
calculus in several ways, but in the latter half of the paper the predicate 
transformer approach is taken as basic. People seem to grasp the relational 
approach more readily, but serious work goes faster with predicate trans- 
formers. In practice, the ingredients of program verification are programs 
and predicates; it is therefore desirable to have syntactic rules for manipulat- 
ing them directly, without translating in and out of the language of relations. 
In fact we will take the most extreme form of the predicate transformer ap- 
proach, the cLxiomatic approach. This means that we will rely only on the 
algebraic properties of predicates and not on the definition of a predicate as 
a boolean-valued function on a state space. As a consequence, all of the pa- 
per's results hold in abstract algebras of predicates, such as those introduced 
by Halmos and by Tarski and his colleagues. 

This is not sterile abstraction: the axiomatic approach is simpler than 
approaches that are cluttered with unnecessary assumptions. Its only dis- 
advantage is that its definitions often seem to be pulled out of a hat — the 
definition of the approximation relation is a good example. I will try to 
counteract this by motivating each a:>ciomatic definition in the framework of 
the more concrete relational approach. This lengthens the paper, but the 
emphasis seems well-placed, since finding the definitions is the hard part: 
once they are right, the theorems prove themselves. 

In addition to Dijkstra, Hehner, Hoare, and Scott, I would like to men- 
tion the intellectual debts that this work owes to J. W. deBakker, H. Egli, 
David Harel, and Vaughan Pratt. Egli [6] and deBakker [l] studied an ap- 
proximation relation that is essentially similar to C. However, their systems 
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did not include partial commands. Also, they did not discover the symmetri- 
cal definition of C in terms of wp and wlp, probably because they approached 
semantics via relations instead of via predicate transformers, and the defini- 
tion of □ in terms of relations obscures the underlying symmetry. Harel and 
Pratt [8, 9] defined a version of Dynamic Logic that contains the same col- 
lection of commands as my generalization of the wp-calculus. But they did 
not discover the approximation relation at all; their treatment of recursion 
uses the subset relation instead. As we shall see, this unnecessarily limits 
the recursions that can be handled. 

1 A brief survey of semantic theory 

This section presents a brief taxonomy of programming logics, initially ap- 
proaching them via relations. 

The relational approach is connected to the ordinary operational ap- 
proach by the following rule: Command A relates state s to outcome o if o 
is a possible outcome of activating A from initial state s. Two subtle choices 
are left open in this apparently simple rule. First, the set of outcomes may 
be the same as the set of states, or it may contain an additional element 
to represent the outcome of infinite looping. Second, the relations may be 
restricted to total relations (those in which each state is related to at least 
one outcome), or partial relations may be admitted. If both the looping out- 
come and partial relations are excluded, then there is no way to represent a 
looping computation, so this model is uninteresting. The other three models 
have all been thoroughly explored. 

The earliest model to be explored included partial relations but excluded 
the looping outcome. A command that is certain to loop forever from some 
input state is modelled by relating that state to no outcome. A problem 
with this approach is that it cannot model a command that might loop or 
halt from the same input state. The practical consequence is that the model 
is useless for proving termination, so we will call it the partial correctness 
model. For example. Dynamic Logic (or DL) used this model. 

A natural way to avoid the problem is to use what we will call the 
total correctness model, which includes the looping outcome and excludes 
partial relations. This allows an input state to be related only to the looping 
outcome, only to proper (that is, non-looping) outcomes, or to both the 
looping outcome and to some proper outcomes. Note that partial relations 
are excluded from the total correctness model: in this model each input 
state is related to at least one outcome, on the grounds that something must 
happen when the command is activated in the input state. (For simplicity, 
we will lump run-time errors together with infinite loops.) Dijkstra presented 



Section 1: A brief survey of semantic theory 5 

his calculus of guarded commands without an explicit relational model, but 
(as we shall see) the relational model consistent with his calculus is the total 
correctness model. David Parnas's limited domain relations are a technical 
variation on the total correctness model [18]. 

David Harel and Vaughan Pratt were the first to realize the utility of the 
model that includes both partial relations and the looping outcome, which 
we will call the general model [8, 9]. They showed that within DL, the way to 
reach the general model from the partial correctness model is to add another 
elementary predicate transformer [a]"*" to the previous [a]. In this paper, we 
follow the lead of Harel and Pratt by accepting the general model. We will 
see that the way to reach the general model from Dijkstra's total correctness 
model (which already has two elementary predicate transformers, wp and 
wlp) is to drop the Law of the Excluded Miracle. 

The general model raises the question of the operational interpretation 
of partial commands. That is, if a command A relates an input state s to no 
outcome at all, what does it mean to activate A in input state si This will 
be explained in section 3. 

In our taxonomy, we have so far approached the different semantic mod- 
els via relations. But each of them can also be approached via predicate 
transformers or Hoare logic. Thus there are two dimensions of variation 
among semantic systems: semantic model and technical approach. Let us 
explore the other technical approaches to the partial correctness model. 

Hoare logic is based on primitive assertions of the form {P}A{Q}, where 
P and Q are predicates and A is a command, which means operationally that 
if A is activated in a state where P is true, then Q is true of any state in 
which A might halt. The connection to the relational approach is obvious: 
the assertion means that for all states s and s', if A relates s to s', then P{s) 
implies Q{s'). Thus A as & relation between predicates is determined by A 
as a relation between states, and, as is easily shown, the converse holds as 
well. 

The approach to the partial correctness model via predicate transform- 
ers goes as follows. For command A and predicate Q, define ■wlp{A,Q) to 
be the weakest P such that {P}A{Q}; that is, the weakest precondition 
sufficient to ensure the postcondition Q. Thus the predicate transformer 
wlp(A,?) is determined by A as a relation on predicates, (We will write 
wlp(>l,?) to denote the map P ^-^ wlp(yl, P).) The converse holds as well, 
since {P}A{Q} is equivalent to P =^ vf\p{A,Q). 

Therefore, in developing the partial correctness model, commands can 
be considered either as relations on states, as relations on predicates, or as 
predicate transformers, the choice of approach being one of technique. The 
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same choices are available for the total correctness model and the general 
model, though the looping outcome complicates things somewhat. For ex- 
ample, if predicate transformers are used, the effect of the looping outcome is 
that a command is determined by two predicate transformers (wp and wlp) 
instead of one. The general model requires no new apparatus — the same two 
predicate transformers suffice. It simply differs from the total correctness 
model by having more commands, namely those commands that violate the 
Law of the Excluded Miracle. 

Recently E. C. R. Hehner [11] and C. A. R. Hoare [13] have explored a 
system called predicative programming, which involves both a new approach 
and a new model. We will make use of their approach, but not their model. 
In this approach, a command is considered as a predicate on a state space 
that includes variables representing both the initial and final states of the 
computation. For example, the command x := x + 1 is identified with the 
predicate x = z + 1, where x and x are the initial and final value of x, respec- 
tively. This "commands-as-predicates" approach is still another technical 
variation on the other approaches, since there is a natural correspondence 
between predicates and conjunctive predicate transformers (which are the 
only kind of predicate transformers that matter in this context). A pretty 
proof of the correspondence was presented by the Eindhoven Tuesday After- 
noon Club [4]. We will call this the cograph correspondence, and make use 
of it to reduce predicate transformer recurrences to predicate recurrences. 

In addition to the "commands as predicates" approach, predicative pro- 
gramming involves a new model, which we will call the HH model, after 
Hehner and Hoare. The HH model is based on the principle that if you don't 
care what the outcome of a computation is, then you don't care whether it 
ever terminates. Counter-examples may come to mind (for example, flipping 
a coin), but the principle still suggests a model with at least technical in- 
terest. Let us approach the model via relations, as we did with the other 
models. The HH model discards the looping outcome; replacing it by the 
convention that if a command relates an initial state to every final state, it 
is considered that infinite looping is also a possible outcome; if even a single 
final state is excluded, then infinite looping is forbidden. The HH model 
has aroused some controversy, a sample of which may be found in the recent 
exchange between Parnas and Hehner in the CACM [19]. 

Our taixonomy is summarized in Table 1. The plan for this paper is to 
drop the Law of the Excluded Miracle from Dijkstra's calculus, and thereby 
arrive at the same place that Harel and Pratt arrived at by adding [a]""" to 
Dynamic Logic. In the resulting system, we will solve recurrence relations 
by using an approximation relation that generalizes the one introduced by 
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deBakker and Egli to partial commands. As a technical device, we will 
use the cograph correspondence to pass back and forth between predicate 
transformers and predicates. 



Technical 
Approach 


Semantic Model 




Partial 


Total 


General 


HH 


Relations on 
Predicates 


Original 

Hoare 

Logic 








Relations on 
States 


Early 

Relational 

Models 


Parnas' LDR^; 
Egli/Debakker 


DL+ 




Predicate 
Transformers 


DL 


wp>-calculus 
with LEM^ 


DL+; 

wp-calculus 
w/o LEM 




Predicates 






Cographs 


Predicative 
Programming 



LDR = Limited Domain Relations 

2 

LEM = Law of the Excluded Miracle 

Table 1. Various calculi of programming semantics, cla^ssified in rows by technical 
approach and in columns by the nature of their semantic model. 

The area we have just surveyed is called "axiomatic semantics". Since a 
neighboring research area is called "denotational semantics" , you might think 
that axiomatic semantics is not denotational. Not so: all the approaches and 
all the models are "denotational" in the sense that the meaning of a command 
is a mathematical object and the meaning of an expression is a function of 
the meanings of its operands. A better characterization of the difference 
between the two areas is that historically, axiomatic semantics has addressed 
the problem of change of state, while denotational semantics has addressed 
the problem of higher order functions. Axiomatic semantics has made the 
assignment statement mathematically respectable; denotational semantics 
has made the lambda-calculus mathematically respectable. (The problem 
of the assignment statement has also been attacked under the banner of 
denotational semantics, but the results are rather operational, and separable 
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from the underlying domain theory. At least, so it appears to me.) It 
is unfortunate that the names of these areas represent their relationship 
so poorly, since the resulting confusion delays their synthesis, which would 
be a promising foundation for programming theory. Following Hehner and 
deBakker, and more recently Dijkstra, this work is aimed towards such a 
synthesis. 

2 Commands as relations 

We will begin by approaching the general calculus by way of relations. The 
connection to the operational approach is given by the rule 

Command A relates state 5 to outcome a 
= o is a possible outcome of activating A in initial state 5 

An outcome is either a state, or the "looping outcome" ±, which represents 
infinite looping and run-time errors. Partial relations are allowed. 

In order to give examples of this connection it will be helpful to have a 
few conventional operational definitions. The alternative construct 

if Pi ^ Ai D . . . D Pn ^ An fl 

means: select some P,- that is true and execute A,-. If all the P's are false, 
the outcome is defined to be J.. The repetitive construct 

do Pi Ai D ... D Pn ^ An Od 

means: repeatedly select some P,- that is true and execute A,- , until all the 
P's are false. If the repetition never halts, the outcome is defined to be ±. 

For example, in the lower right of Figure 1 is an illustration of the 
relation associated with the command 

if 2 = 0 ^ Skip D y = 0 -> y := 1 fi , 

in which x and y are boolean variables. (The command Skip is a no-op.) To 
explain the remainder of the figure, we need some more relational definitions. 

We will write ^(A) to denote the guard of A, that is, the domain of the 
relation A considered as a predicate: 

g{A)s = {3o:Aso). 

If g{A) = TRUE, we say that A is total. Otherwise A is partial. 
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xy xy xy 3cy 

00 ► 00 00 ► 00 

01 ► 01 01 ► 01 

10 ► 10 10 10 

11 ► 11 11 11 

Skip z = 0 — » Skip 

xy xy xy xy 

00 ^.^^^^^^ 00 00 -x..,^^^^^^^ 00 

01 ► 01 01 ^^01 

10 -"v...,^^^^^^ 10 10 -v^^^^^^ 10 

11 ► 11 11 ^^11 

y:=l y = 0-^y:=l 

xy xy xy 3cy 

00 -v^ ► 00 00 ► 00 

01 — ► 01 01 — ► 01 

10 -V. 10 10 -V. 10 

11 >^11 11 v^^^^ll 

X = 0 -> Skip 
Dy = 0-^y:=l 

if X = 0 Skip 
D y = 0-»y:=l 
fi 



Figure 1. The anatomy of a guarded command. The command in the lower right 
is composed of the subcommands shown in the rest of the figure. 
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Let A and B denote commands, P a predicate on states, s a state, and 
0 an outcome. Then the relational definitions of the operators appearing in 
Figure 1 are 

Skip so = s = o 

{P -> A)so = Ps A Aso 

{A U B)so = Aso V Bso 

(if A n)so = Aso V (-. S{A)s Ao = ±) 

That is, the no-op Skip relates each state to itself. The outcomes of P -> A 
are the outcomes of A from initial states satisfying P. The outcomes of 
A U B are the outcomes of A and of B. The command if ^ fi is a total 
command formed from A by adding a looping outcome from all states that 
have no other outcome. The illustration in Figure 1 of the anatomy of an 
alternative construct should now be clear. 

In the classical calculus, which admits only total conomands, if-fi is a 
2n-ary operator, and — > and D do not have the status of operators at all. 
Partial commands are technically attractive, since they allow — > and 0 to 
be binary operators, and if-fi to be a unary operator. 

Here are the relational definitions of some other important operators: 

Loop so = o = ± 

Fail so = FALSE 

{A g B)so = Aso V {Bso A ^g{A)s) 

{A ; B)so = {3s' : Ass' A Bs'o) V {Aso A o = J_) 

That is, Loop is the command that relates each state to the looping 
outcome; Fail is the command that relates no state to any outcome; A 0 B is 
similar to A Q 5, but the outcomes of B are included only from those initial 
states from which A has no outcome; and A ; B is the composition of A and 
B together with all looping outcomes of A. Note that Fail is an identity 
for the operators [] and 0 , and Skip is an identity for the operator ; . The 
importance of the unconventional Fail and 0 will become clear later. 

An apology for unconventional nomenclature: There are some circum- 
stances in which it is desirable to extend the space of outcomes still further, 
by distinguishing between the looping outcome and other outcomes that rep- 
resent runtime errors (for example, in the compiler verification by Manasse 
and Nelson [15]). To avoid confusion in those circumstances, we will write 
Loop instead of the conventional Abort. 
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We will call , [], 8, and ; the fundamental operators because all 
the common control structures can be defined in terms of them by using 
recursion. For example, we shall see that do A od is the C-least solution of 

X: X = {A;X)g Skip. 

We won't consider the relational definition of do A od, since it is awkward 
and, in view of the definitions to be presented in subsequent sections, unnec- 
essary. 

In order of decreasing binding power, the operators are ; — >^ D S • 
For example, 

AUP-^B;CED means {A U {P ^ [B ; C))) B D . 

At first it seems that the operator @ is mildly unattractive because it is 
asymmetric, but a little reflection brings the realization that it is extremely 
unattractive because it is not monotonic. That is, adding outcomes to A can 
remove outcomes from A 0 B by masking outcomes oi B, so the operator 
is not monotonic with respect to the subset relation. Since monotonicity is 
essential to the treatment of recursion, this is far worse than zisymmetry. My 
first reaction was to try to do without 0 . But this is hopeless, since, as we 
shall see, do-od isn't C-monotonic either! We can't do without do, so there 
is no alternative but to abandon the subset relation and find a new relation 
with respect to which all the operators are monotonic. As we shall see, the 
approximation relation C does the trick. 

3 Commands as operations 

Partial commands are technically attractive, but their operational interpreta- 
tion is somewhat subtle. What would happen if the command z = 0 Skip 
were executed in a state where x 7^ 0? If nothing happens, what is the differ- 
ence between the given command and Skipl If an error happens, what is the 
difference between the given command and if x = 0 — »■ Skip fi? Something 
else must happen, and the only possibility is to backtrack, as this section 
explains in detail. 

The operational approach is based on the following scenario: given a 
digital machine at rest in some initial state, the activation of a command 
produces a sequence of state transitions, the outcome of which is to halt in 
some state or to loop forever. There are two important points to discuss: 
First, the outcome need not be functionally determined by the initial state — 
that is, the command may be nondeterministic. Second, associated with 
each command is a predicate called its guard, and a command can only be 
activated in states where its guard is true. 
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"But" , you ask, "what would happen if a command somehow got acti- 
vated in a state where its guard is false?" . This is not a particularly useful 
question. Imagine commanding a typist to press the space bar, then release 
it, then release it again. In assigning a meaning to this command, it is no 
help to ask, "but what would happen if the typist somehow did manage to 
release the space bar a second time?" . 

But people will ask the question anyway, since the anthropomorphic 
overtones of operational thinking lead us to imagine the machine "trying" 
to activate a command whose guard is false. So as not to be without an 
answer, let us say that such an attempt fails, whereas if the guard is true 
then activation succeeds. Note that if a command cannot be activated, the 
attempt to do so will fail without changing the state of the computation. If 
any computation is involved in the attempt to activate, it must have no side 
effects. 

"But" , you ask, "what happens if a true guard leads to a computation 
that hzs side effects and then runs into a false guard?" . The answer is that the 
implementation must not let this happen. The explanation of this somewhat 
unsatisfying answer brings us to the other important point, nondeterminism. 

To avoid confusion, it is usually wise to qualify the word "nondetermin- 
ism" with one of the adjectives "blind" or "clairvoyant" . An implementation 
of blind nondeterminism is allowed to choose blindly between the alternative 
execution paths. For example, if a programming language reference man- 
ual declares that arguments to procedures may be evaluated in any order, 
it is warning the progranomer that the implementation reserves the right to 
be blindly nondeterministic. In contrast, an implementation of clairvoyant 
nondeterminism is required to choose an execution that "succeeds" , for some 
notion of success. For example, in automata theory, a successful computation 
is one that accepts its input, and an implementation of a nondeterministic 
automaton is required to find an accepting computation if one exists. 

Applying these general remarks to the case at hand, we require that 
the implementation of our commands be clairvoyant enough to find a com- 
putation that succeeds, but allow it to choose blindly between all successful 
computations. That is, the implementation must make its nondeterministic 
choices in such a way that no command is ever activated in a state where its 
guard is false. For example, imagine a typist commanded to press either the 
space bar or the shift key and then release the space bar, in an initial state 
with all keys up. The typist must be clairvoyant enough to press the space 
bar rather than the shift key, since the space bar can only be released when 
it is down. 

So much for the general framework. Here are the operational definitions 
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of the fundamental operators, together with do-od and if-fi: 

A ; B activate A, then activate B 

A[\B activate either A or 5 

A^B activate A if possible, else activate B 

P — > A activate A from a state where P is true 

do A od activate A until it fails 

if A fi activate A until it succeeds 

There are several consequences of these definitions worth noting. 

First, note that false — >^ A is independent of A\ it is the unique com- 
mand whose guard is false, which cannot be activated in any state. This 
command was introduced earlier as Fail. 

The command do Fail od, which activates Fail until it fails, is therefore 
a no-op. This command was introduced earlier as Skip. 

The command if Fail fi, which activates Fail until it succeeds, evidently 
activates Fail forever, and therefore the outcome of this command is to loop 
forever. This command was introduced earlier as Loop. An equally valid 
operational definition of Loop is do Skip od. 

It is now clear that do-od is not C-monotonic, since Fail C Skip, but 
do Fail od % do Skip od, since Skip % Loop. 

Since a failed attempt to activate a command has no effect on the state, 
the definition "Activate A until it succeeds" for if .4 f i is a little odd. It 
would have been more natural to write "Activate A unless it fails, in which 
case loop". But if there is more than one process executing concurrently, 
these two definitions are not equivalent. Although we will not consider con- 
currency in this paper, the definition of if-fi is phrased to acconmiodate it. 
In a concurrent program, if P — > A fi has the semantics of a "blocking if" 
that waits for P to be true and then executes A. In a sequential program, 
the wait will last forever. This interpretation was proposed by Dijkstra in 
his account of the Owicki-Gries theory [3]. 

If B is partial, then the execution oi A\B will in general require non- 
trivial clairvoyance, since a wrong choice made while executing A may lead 
to an outcome of A that doesn't satisfy the guard of JB. In fact, it is not 
difficult to see that a partial command as the second argument to semicolon 
is essentially the only construction that requires clairvoyance on the part 
of the implementation. Furthermore, do A od and if A fi are always to- 
tal, and A ; P is total if A and B are, and similar rules hold for the other 
operators. Thus the need for clairvoyance can be removed by simple syntac- 
tic restrictions. The restrictions of the classical calculus are sufficient, but 
stricter than necessary. 
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As an example of the power of clairvoyant nondeterminism, we will 
define a command E that parses simple arithmetic expressions, assuming we 
are given a procedure /dthat parses identifiers and procedures Op^ and Op.^ 
that parse the tokens for the operators + and x . By parsing a syntactic 
category we mean reading from the input the longest legal instance of the 
category, or failing if no prefix of the input belongs to the category. E is 
defined recursively: 

E = E;Op^;E 0 E ; Op^ ; E 0 Id. 

Note that the use of 0 instead of D gives x more binding power than + , 
while leaving the associativity of the operators unspecified. This example 
reminds us that at least one tool for translating nondeterministic programs 
into efficient deterministic ones has been an engineering success: the parser 
generator. (It also suggests a simple way of looking at semantic attachments 
to granmiars, in which inherited and synthesized attributes become in and 
out procedure parameters, respectively.) 

4 Preliminaries, mostly about predicates 

This section presents a few definitions that we will need before going into 
our third approach to the system, via predicate transformers. 

Functional definitions. A predicate is a total boolean-valued function defined 
on some Cartesian product space, the elements of which will be called states. 
The symbol = denotes equality between predicates: P = Q means P and Q 
are equal as functions. The symbol => denotes the strength order between 
predicates: P => Q, read "P is as strong as Q" or "Q is as weak as P" or 
"P implies Q" , means that no state is mapped to true by P and to false 

byQ. 

Boolean properties. It follows that =»• is a reflexive partial order with a 
maximum element true and a minimum element false in which any two 
predicates P and Q have a least upper bound P \/ Q and a greatest lower 
bound P A Q, where A and V distribute over one another, and in which 
every predicate P has a complement -i P satisfying P V -< P = true and 
P A -> P = FALSE. These properties can be summarized by saying that the 
predicates form a boolean algebra. 

In order of decreasing binding power, the operators are ~< A V , 
followed by the relations =^ and = . 

The existence of true and false depend on the fact that the state space, 
being a Cartesian product, is not empty (since the empty Cartesian product 
is the singleton containing the empty tuple). This is the only connection 
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between the product structure of the state space and the boolean properties 
of the predicates. The product structure is more important to the cylindrical 
properties, which will be considered next. 

Cylindrical properties. The coordinate functions that project the state space 
onto its Cartesian factors are called variables. A predicate P is independent 
of a variable v (and is called a v-cylinder) if it has the same value at any two 
states that differ in the v coordinate only. For any predicate P there exists 
a predicate {3v : P) which is the strongest v-cylinder that is as weak as P, 
and there exists a predicate (Vu : P) which is the weakest u-cylinder that is 
as strong as P. 

Two variables have the same type if the corresponding Cartesian factors 
are the same set. If u and v are variables of the same type and P is a 
predicate, we define P{u : v) to be the predicate that "says about v whatever 
P says about u"; that is, P{u : v) holds of state s if P holds of s', where s' 
is the state which coincides with s in all coordinates except u, where it has 
the value v{s). Another common notation for P(u : v) is P". For example, 
{u < v){u : w) = [w < v). A pair of the form (u : v) is called a substitution. 
Substitutions are boolean algebra homomorphisms. The simple rules for 
composing substitutions and distributing them over quantifiers will not be 
listed explicitly. 

The cylindrical properties of predicates can be summarized by saying 
that the predicates form a polyadic algebra in the sense of Halmos [7], a 
cylindric algebra in the sense of Henkin, Monk, and Tarski [12], or a predicate 
algebra, according to the axiomatization that I like to use [17]. 

Completeness property. Every set of predicates has a greatest lower bound 
under the =>■ order. This is easy to see: the greatest lower bound maps a 
state to TRUE if and only if every predicate in the set maps it to true. 
Similarly, every set of predicates has a leaist upper bound. 

The axiomatic program. In the axiomatic approach to the semantics of 
guarded commands, the boolean properties of predicates are used for treat- 
ing the semantics of the fundamental operators, the cylindrical properties 
are used for variables and assignment, and completeness is used for iteration 
and recursion. The axiomatic view is that the definition of a predicate as a 
function on a state space should play no formal role. That is, a calculus of 
guarded commands should be definable in any complete predicate algebra, 
regardless of whether it has been constructed from a state space. 

Miscellaneous notations. Except for the parenthesis convention, the following 
notations are due to Dijkstra. 

We will use square brackets to denote the following drastic map on 
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predicates: [true] = true, and [P] = false for all other P. 
We will write 

(operation dummies : range : term) 

to denote the combination via the given operation of the values assumed by 
the given term as the dummies vary over the given range. The operation 
must be commutative, associative, and (if the range is empty) possess an 
identity. If the range is obvious from the context, it will be omitted. For 
example, the greatest lower bound of the set S of predicates is denoted by 
(A P : P e 5 : P), or by (A P :: P) if 5 is obvious from the context. 

A proof oi P = Q will often be written in the form 
P 

= {hint why P = R} 
R 

= {hint why R = Q} 
Q 

A proof of P =>• Q will be written similarly, except that some of the steps 
may use instead of =. In both cases, unnecessary hints will be omitted. 

In order to express formulas involving the two operators wp and wlp 
compactly, the parenthesis convention will be used: a formula containing 
parenthesized expressions represents two formulas, in one of which the paren- 
thesized expressions are ignored, in the other of which each parenthesized 
expression is either inserted, or substituted for the item to its left, whichever 
is suggested by the context. For example, instead of the two formulas 

wlp((U A :: A), i2) = (A A :: ^\^[A,R)) 
wp((U A :: A), R) = {\/ A :: vfp{A,R)) 

we will write the single formula 

w(l)p((U A :: A), R) = (V(A) A :: w(l)p(A,P)) . 

Fixpoint theorems. Next we will consider two classical theorems concerning 
complete partial orders that play a central role in the fixpoint method. 

Let C be a reflexive partial order on some set, and let fl denote meet 
(i.e., greatest lower bound) and U denote join (i.e., least upper bound) with 
respect to C. A chain is a subset that is totally ordered by C. A function / 
on the set is monotonia if x C y implies f[x) C /(y), and chain- continuous 
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if f{{Ux :: x)) = (Ux :: /(x)) whenever x ranges over a non-empty chain and 
both sides are defined. Note that if / is chain-continuous, it is monotonic: 

X C y 

= {Connection between C and U} 
(x U y) = y 

=>■ {Equal arguments map to equal results} 

/{xUy) = /(y) 
= {/ is chain-continuous and {x,y} is a non-empty chain} 

[fix) u /(y)) = /(y) 

= {Connection between U and C} 

E f{y) 

Here are the two classical fixpoint theorems: 

Limit Theorem. If (Ux :: x) exists when x ranges over any chain, and f is 
chain-continuous, then f has a least fixpoint given by 

(Ut : t > 0 : /*(min)) , 

wiere the superscript indicates iterated composition and min denotes the 
minimum element — which must exist, since it is the join of the empty chain. 

Knaster-Tarski Theorem. If f is monotonic and q = (nx : /(x) C x : x) 
exists, then q is the least fixpoint of f, as well as the least solution of the 
equation x : /(x) C x. 

The Limit Theorem is proved in Manna's text [16]; it is originally due to 
Kleene [14]. For proofs of the Knaster-Tarski Theorem, see the original 
reference [20] or Dijkstra's notes [5]. The standard version of the Knaster- 
Tarski Theorem requires that every set of elements has a meet, but we will 
have a use for our stronger formulation, which requires only that a particular 
set of elements has a meet. The proof of the standard version also works 
for our strengthened version. The Limit Theorem could be strengthened 
similarly, but we won't bother to do so since the conventional formulation is 
all we will need. 

5 Commands as predicate transformers 

In this section we interpret the general calculus by means of predicate trans- 
formers, which are simply maps from predicates to predicates. We consider 
only the semantics of the fundamental operators, and therefore rely only on 
the boolean properties of the predicates. 
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In this approach a command A is defined to be a pair of predicate 
transformers, written wp(A, ?) and wlp(A,?), satisfying the pairing condi- 
tion, which is that for any predicate R, 

wp(yl, R) = wp(yl, true) a wlp(A, R) , 

and the conjunctivity condition, which is that wlp(A,?) distributes over any 
conjunction, and wp(^, ?) distributes over any non-empty conjunction. 

We will motivate this definition by connecting it to the relational ap- 
proach. The basic connection is 

the predicate \vp{A,P) holds of state s 
= every outcome of A from 5 is proper and satisfies P 

the predicate wlp(A, P) holds of state 5 
= every proper outcome of A from 5 satisfies P. 

All predicates in this paper are predicates over states, therefore no pred- 
icate (not even true) can be said to hold of .L. Also, the "5" in the two 
equivalences above can be omitted, since preconditions are understood to be 
predicates on states. These two observations allow us to write succinctly 

vf{l)p{A, R) = every (proper) outcome of A satisfies R. 

Here are two noteworthy consequences of the basic connection: 

wp(A, true)(3) = every outcome of A from s is proper. 

wp(A, false) (5) 
= every outcome of A from s satisfies false 
= there is no outcome of A from s. 

Thus wp{A, true) characterizes those states from which error-free termina- 
tion is guaranteed, while wp(yl, false) characterizes those states from which 
activation is impossible. Hence 

^{A) = -iwp(A, false) . 

From this equation we see that Dijkstra's Law of the Excluded Miracle, 
wp(A, false) = FALSE, Can be written ^{A) = true. That is, the effect of 
the Law is to exclude partial commands. 

Here is the motivation for the pairing condition: 
wp(A,P) 

= every outcome of A is proper and satisfies P 
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= every outcome of A is proper and every proper outcome of A satisfies P 
= wp(yl, true) Awlp(A, P) 

And for the conjunctivity condition: 

wlp(A, (A i :: Pi)) 
= every proper outcome of A satisfies every P,- 
= for every t, every proper outcome of A satisfies P, 
= (Ai ::wIp(A,P,)) 

wp(A, (At:: Pi)) 
= every outcome of A is proper and satisfies every P,- 
= {the range of t is not empty} 

for every t, every outcome of A is proper and satisfies P,- 
= (At::wp(A,P.)) 

Thus for any relation between states and outcomes, the corresponding 
pair of predicate transformers satisfies the pairing and conjunctivity condi- 
tions. Conversely, given any such pair wp(A,?) and wlp(yl, ?), the relation 
A connected with them is uniquely determined. To show this, we introduce 
the notation s to denote the co-atomic predicate that is holds of all states 
except the state s. Then 

A relates 5 to the proper outcome t 
= -> (every proper outcome of A from s difi"ers from t) 
= ^w\p{A,i){s) 

A relates s to ± 
= -1 (every outcome of A from 5 is proper) 
= "-wp (A, true) (5) 

Thus the "proper part" of A as a relation is determined by wlp(A,?), and 
the "improper part" by wp(^, true). 

So much for the motivation of the definition. Here are the definitions of 
the commands Fail, Skip, and Loop, and of the fundamental operators: 

w(l)p(Pai7, P) = TRUE 

w{l)p{Skip, R) = R 

Vf(\)p{Loop, R) = FALSE (true) 
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w(l)p(A \]B,R)= w(l)p(A, R) A w(l)p(5, R) 
w(l)p(>l ',B,R)= w(l)p(A, w(\)p{B,R)) 
w(l)p(P ^ A,R) = ^PV w(l)p(yl, R) 
w(l)p(A8S, R) =w(l)p(A,iE) A {g{A) V w(l)p(B,i2)) 

The equation for 0 follows from those for and Q and the formula 

AEB = AU -^g{A) ->B. 

The equations for Fail, Skip, and Loop will be left to the reader. For the other 
three equations, we will first give relational motivations, and then prove that 
the commands they define satisfy the pairing and conjunctivity conditions. 

w(l)p(A D B, R) 
= every (proper) outcome oi A[\B satisfies R 
= every (proper) outcome of A satisfies R 
A every (proper) outcome of B satisfies R 
= w(l)p(A,i2) A w(l)p(B,i2) 

wlp(>l ; B, R) 
= every proper outcome oi A; B satisfies R 

= from every proper outcome of A, every proper outcome of B satisfies R 
= wlp(A, wlp(B,J2)) 

wp(A ; B, R) 
= every outcome of A; B satisfies R 
= every outcome of A is proper and satisfies wp(S,il) 
= wp(A, wp(B,i2)) 

w(l)p(P A, R) 
= every (proper) outcome of P -+ A satisfies R 
= {if -> P holds then there is no outcome oi P A} 

-1 P V every (proper) outcome of A satisfies R 
= ^P V w(l)p(>l,i2) 

The proofs of the pairing and conjunctivity conditions are straightfor- 
ward calculations. One fact that will be used several times is that in any 
boolean algebra, finite disjunction distributes over arbitrary conjunctions. 



Section 5: Commands as predicate transformers 

w(l)p(A;B, (A it; :: R)) 
w(l)p(A, w(l)p(B, (A R :: R))) 
w(l)p(A, (A R ::w(l)p(B,iE))) 
(A R :: w{l)p(A, Ml)p{B,R))) 
(A R :: wa)p(A ;5, 

w(l)p(P ^ A,{AR :: iE)) 

Vw(l)p(A, {ARy.R)) 
-^PV {A R :: vf{\)p{A, R)) 
(A i2 :: -iP V w(l)p(A,i2)) 
(A R :: w(l)p(P ^ A, R)) 

w{l)p{AUB, (A P :: P)) 

wa)p{yl, (A P :: P)) A w(l)p(P, (A P :: P)) 

(A P :: w(l)p{A, P)) A (A P :: w(l)p(J3, P)) 

(A P :: w(l)p(A,P) A w(l)p(B,P)) 

(A P :: w(l)p(ADB, P)) 

wp(A ; B, P) 

wp(A, wp(5,P)) 

vfp{A, wp(B,true) a wlp(5,P)) 

yfp{A, wp(B,true)) a wp(A, wlp(jB,P)) 

wp(^, Wp(B,TRUE)) A wp(A,TRUE) A wlj>{A, wlp(5,P)) 
wp(^, Wp(5,TRUE)) A Wlp(^, wlp(B,P)) 

wp(A ; B, true) A wlp(^ ; B, P) 

wp(A D B, P) 
wp(A,P) A wp(B,P) 

wp(yl,TRUE) A wlp(A,P) A Wp(jB,TRUe) A wlp(B,P) 

wp(A D B, true) a vf\p{A D B, P) 

wp(P A, P) 
-P V wp(A,P) 

-1 P V (wp(A, true) a wlp(>l, P)) 
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= P V wp(A, true)) a P V wlp(A, R)) 
= wp(P A, true) a wlp(P — > A, R) 

From the precondition equations we derive the following guard equa- 
tions, using the identity 5{A) = wp(yl, false): 

Q{Fail) = false 
Q[Loop) = TRUE 
Q{Skip) = TRUE 

^(P A) = P A 9{A) 

9[A[\B) = 9{A)y 9{B) 
9{A%B) = 9{A)y 9{B) 

^(A;P) = -wp(A, -5(P)) 

Note that the last equation implies that ^(A ; P) = 9{A) whenever B is 
total. 

An important consequence of the conjunctivity of wp and wlp is mono- 
tonicity. The proof is very similar to the proof that chain-continuity implies 
monotonicity: 

= {connection between =>• and A} 
P A Q = P 

=>• {equal postconditions have equal preconditions} 

w(l)p(A, P A g) = w(l)p(A, P) 
= {w(l)p is conjunctive} 

w{l)p(A,P) A w(l)p(A,Q) = w(l)p(A,P) 
= {connection between A and =>■} 

w(l)p(A, P) =^ w(l)p(A, Q) I 

6 Variables 

This section describes two new operations, assignment and projection. To 
handle them we will rely on the cylindrical properties of the predicates, as 
well as the boolean properties necessary for the fundamental operations. 

If X and y are variables of the same type, the assignment x := y is a 
command that relates each state 5 to the state s' , where 5' coincides with 5 
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in all coordinates except x, where it has the value y{s). The corresponding 
predicate transformer is substitution: 

w(l)p(z := y, R) = R{x : y) . 

Here is the motivation for the equation: 

w(l)p(s := y, R) 
= every (proper) outcome of x := y satisfies R 
= what R says about x is true of y 
= R[x : y) 

Here is the proof that assignments satisfy the pairing condition: 

wp(x := y, true) A wlp(x := y, R) 
= TRUE A R{x : y) 
= wp(x := y, R) 

The fact that assignment satisfies the conjunctivity condition follows 
from the fact that in any predicate algebra, substitution distributes over 
unbounded conjunctions. To prove this, we need a lemma. 

Lemma 1. For any predicate R and variables x and y, 

R{x : y) = (Vx : X 7^ y V iE) . 

Proof. By the substitutivity of equality, 

^(x : y) =^ x^uy R. 

The left side is independent of x, hence, by the definition of V, the implica- 
tion can be strengthened to 

R{x : y) ^ iyx : x y y R) . 

The proof of the converse is: 

(Vx : X # y V i2) 
^ {substitutivity of equality} 

(Vx : X ^ y V i2(x : y)) 
= {iE(x : y) is independent of x} 

(Vx : X # y) V R{x : y) 
= {reflexivity of equality} 

R{x : y) I 
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Here is the proof that substitution distributes over arbitrary conjunc- 
tions: 

(A R ::R){x:y) 
= {Lemma 1} 

(Vx : z 7^ y V (A iE :: R)) 
= {predicate calculus} 

(A i2 :: (Vx : X 7^ y V R)) 
= {Lemma 1} 

(A R :: R{x : y)) 

So much for assignment. Next we consider the use of local variables, 
which requires laying some groundwork. 

To indicate that R is independent of all variables except x, we will say 
iZ is an x-predicate. Similarly, an xy-predicate is one independent of all 
variables except x and y. 

Note that the number of variables on which a predicate depends will vary 
with the choice of coordinates on the state space. If 12 is an xy-predicate, it 
is not "two dimensional" in any fundamental way: had the two components 
X and y been treated as a single component z (with subcomponents z.x and 
z.y), then R would be a z-predicate. We will therefore feel free to take all 
the variables on which a predicate depends and lump them together into a 
single variable, whenever this is convenient. 

A command is called independent of a variable if it neither tests nor sets 
the variable. In the next section we will make this definition precise, but it 
will do for now. If A is independent of all variables except x, it is called an 
x-command. An xy-command or xyz-command is defined similarly. 

The operation for delimiting the scopes of variables is projection: if A 
is an xy-command, then by | x | A 1 we denote the y-command resulting by 
dropping the x components from all state-outcome pairs of A. (The looping 
outcome projects to itself.) Operationally, [ x | A ] means "extend the state 
space with a new component named x with arbitrary initial value, then 
execute A, then retract the new component". The precondition equation is 

w(l)p(Ix \AIR) = (Vx : Ml)p{A,R)) . 

Note that if i2 is a y-predicate, then as far as R's value is concerned, we can 
specify a state by the value of the variable y. We will use this notational 
liberty in the following motivation of the precondition equation: 
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w(l)p([xMl,ii:)(y) 
= every (proper) outcome of | x | A | from initial state y satisfies R 
= for every initial value of x, every (proper) outcome of A from initial 

state {x, y) satisfies R 
= (Vx: wil)p{A,R){y)) 

= {y-substitution commutes with x-quantification} 
(Vx: Ml)p{A,R)){y) 

The fact that projection satisfies the conjunctivity condition follows from 
the fact that universal quantification commutes with unbounded conjunction. 
Here is the proof that projection satisfies the pairing condition: 

wp([x I A], iE) 
= (Vx:wp(vl,iE)) 
= (Vx : wp(A,TRUE) A wlp(A, i2)) 
= (Vx : wp(A,TRUE)) A (Vx : vflp{A,R)) 
= wp(|x I A], true) a wlp([[x \Al,R) 

In the expression |x | A|, the variable x is a dummy. In case the 
postcondition is dependent on x, the dummy must be renamed to avoid 
capture before the precondition equation can be used. For example: 

wp(If \t:=x;x:=y;y:=tj,x<t) 
= wp(| u I u := X ; X := y ; y := u I, X < i) 
= (Vu : wp(u :— x ; x := y; y := u, X < t)) 
= (Vu : (x < t){y : u)(x : y)(u : x)) 
= (Vu:y<i) 
= y < i 

A common construction in programs has the form 

if (3x : P) then let x satisfy P \ ... end . 

The repetition of x and P are awkward. One longs to write something like 

if X such that P then . . . end, 

where the scope of x includes the ... as well as the P. Dijkstra calls such 
constructions "initializing guards" ; they are easily constructed out of partial 
commands and the projection operator. Note first that 



26 Section 6: Variables 

9{ix\Aj) 
= ^(wp(|x I Al, false)) 
= -1 (Vx : wp(A, false)) 
= -(Vx:--5(A)) 
= {3x:g{A)) 
Thus if A is total, then the guard of 

is (3z : P), and consequently it can be activated in the same states as 
(3x : P) A , 

but in the first case the scope of x includes A. Thus we have constructed an 
initializing guard. 

As a more concrete example, here is a command that decomposes the 
list o and rebuilds it in reverse order in 6, where lists are represented as 
nil-terminated nests of ordered pairs in the usual way: 

6 := nil ; do |[ u,v \ a = {u,v) b := {u,b) ; a := v ] od 

The guard on the loop tests if a is an ordered pair and, if it is, introduces 
u and t> as names for its components. (It would show more respect for 
the virtue of infix operators to simply write x | A instead of [x | A|, and 
dropping the brackets is especially tempting in the case of initializing guards. 
But it is conventional in programming to delimit name scopes with explicit 
brackets.) 

Finally, a few words about undefined terms. An assignment operation 
X := E, where E is an expression, is considered to be syntactic sugar for 

if I u I u = E X := u 1 f i , 

where u is a fresh variable. Note that this command loops in states where E 
is undefined, since in such states (3u : u = E) is false. We will abbreviate 

this formula to def{E) . 

In predicate algebras the substitution {x : E), where is an expression, 

is defined by the equation 

P{x : E) = {3u : u = E A P(x : u)) , 
where u is a fresh variable. With this definition we have in general that 
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wp(x := E, R) = R{x : E) 

wlp{x := E,R)=^ def{E) V R{x : E) 

Note that these are not definitions, but theorems that follow from the seman- 
tics of substitution, projection, and if-fi. In proofs by structural induction, 
expressions can generally be ignored. 

(A note about the introduction of function symbols into abstract predi- 
cate algebras: a function / is defined by giving the meaning of the equation 
"u = /(ui, . . . UnY as a predicate. For any values of the u's, there must be 
at most one value of u satisfying the predicate. For example, division can be 
defined by 

u = v/w = w^OAu*w = v. 

Therefore, if E is not a variable, a predicate expression of the form u — E 
can be reduced to an expression in which the outer function symbol has been 
eliminated.) 

A final note: by means of the projection operator, predicate transform- 
ers can be introduced that are not V-continuous. That is, wp(|x | Aj, ?) 
may not distribute over infinite joins of chains of predicates, even though 
wp(A, ?) does. This discontinuity occurs for commands that are unboundedly 
nondeterministic, in the sense that they relate some input state to infinitely 
many outcomes. For example, let z and y have the same type, and consider 
[x I y := x|, which assigns y an arbitrary value. For a y-predicate P, 

wp(lx|y:=xl, P) 
= (Vx : P(y : x)) 
= [P] 

(Recall Dijkstra's [ ] operator from section 4.) The [ ] operator is obvi- 
ously V- discontinuous, since the join of a chain of predicates may be true, 
although none of them is true. But unbounded nondeterminism will not 
trouble us: although wp(|x | Aj, iZ) may be a discontinuous function of R, 
we will show that [ x | A | is a continuous function of A, which justifies the 
use of projection in recursive definitions. 

7 Commands as predicates 

Our next goal is the cograph correspondence. As mentioned in the introduc- 
tion, the correspondence came out of the predicative programming approach 
taken by Hehner and Hoare. In this approach, a command is a predicate on 
a state space that includes variables representing both the initial and final 
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states of the computation. More precisely, if A is an x-command, and x' is a 
variable of the same type as x, then the correspondence between this point 
of view and the operational view is given by 

A as a. predicate holds of (x, x') 
= 2' is a possible proper outcome of A as a command activated from initial 
state X. 

For example, the command x := x+1 corresponds to the predicate x' = x+1. 
Looping outcomes are simply ignored in the usual expositions of this point of 
view. Our strategy will be to ignore the looping outcomes temporarily, and 
then recover them by relying on the pairing condition. Instead of (x, x'), the 
initial and final values are usually named (x,x), but we will stick to (x, x'), 
since this simplifies the description of the connection between predicative 
programming and predicate transformers. This connection is captured ex- 
actly by the following theorem. 

Theorem 1. If A is an x-command, then for any predicate P, 
wlp(A, P) = (Vx' : vf\p{A, x^x')y P{x : x')) • 

The English translation of the theorem is 

A's proper outcomes all satisfy P 
= for each state x', either A never produces x', or x' satisfies P. 

Hence the x-predicate transformer wlp(A, ?) is completely determined by the 
xx'-predicate wlp(A, x ^ x'). For example, wlp(x := i + 1, ?) is determined 
by wlp(x := X + 1, X 7^ x'), which is x' 7^ x + 1. 

The predicate wlp(>l, x ^ x') is simply the complement of the predicate 
that represents A in the predicative programming point of view. Theorem 1 
is essentially the work of the Eindhoven Tuesday Afternoon Club [4]; I have 
modified their theorem to deal with wlp instead of wp, and modified their 
proof to be axiomatic. To prepare the way for the axiomatic proof, we need 
one definition and two lemmas. 

A command A is independent of a variable x if 

(t) for any predicate R, yv{\)p{A,R) is independent of x 

(») for any x-predicate R, w\p{A,R) = wlp(A, false) V R. 

Condition (») implies that A doesn't test x, and condition («) implies 
that A doesn't set x. We will motivate these claims by arguing in terms of 
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relations on the state space of (x, y) pairs. First we argue that condition (t) 
implies that for any values xi, X2, and yi and any outcome o, 

M^i^yi)o = ^(2:2,2/1)0, 

i.e., the outcome is indifferent to the initial value of x. The proper and 
improper cases are treated separately: 

A{xi,yi)A. 
= ^wp(A,TRUE)(xi,yi) 

= {(«•)} 

-■Wp(A,TRUE)(x2,yi) 

= A(i2,yi)± 

A(xi,yi)o 
= {assume o proper} 
-.wp(>l,o)(xi,yi) 

= {(»•)} 

--wp(A,o)(x2,yi) 
= A{x2,yi)o 

Next we argue that condition (tV) implies that for any xi, X2, yi, and y2, 

i4(xi,yi)(x2,y2) =^ xi = X2 , 
i.e., in no outcome is x changed: 

A{xx,yx){x-i,y2) 
= ^wlp(yl, {x2,y2)){xi,yi) 
= -.wlp(A, X 7^ X2 V y y2)(a:i,yi) 
=>• {wlp is monotonic, -1 is anti-montonic} 

^wlp(A,x # X2)(xi,yi) 
=>■ {(«»), X X2 is an x-predicate} 

Xi = X2 

So much for the motivation. A command and predicate are said to be 
independent if there is no variable on which both are dependent. Note that 
in this case, clause (»V) of the definition above applies to them. 
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Lemma 2. If commajid A and predicate C are independent, then 

wlp(A, P V C) = wlp(A, P) V C . 

Proof. Since wlp is not disjunctive, it is not obvious how to get the proof 
started. There is a roundabout attack that succeeds in this case, as in many 
similar ones. Compute first that 

TRUE 

= wlp(A, false) V C V -. C 
= {A and C are independent} 

wlp(.4, C) V vflp{A, ^ C) 
=> {wlp is monotonic} 

wlp(yl, C) V yf\p{A, Py -^C) 

and then that 

wlp(A, P V C) 
= wlp(yl, P V C) A (wlp(A,C) V wlp(A, P V C) 
= { A over V ; conjunctivity of wlp} 

wlp(A,C) V wlp(A,P) 
= {A and C are independent} 

wlp(A, false) V C V wlp{i4, P) 
= {monotonicity of wlp} 

CVwlp(>l,P) I 

Lemma 3. If predicate P is independent of x', then 

P = (Vx' :x' ^xW P{x: x')) . 

Proof. This is a trivial consequence of Lemma 1: 

(Vx' : x' ^ X V P(x : x')) 
= {Lemma 1 with R := P(x : x')} 

P(x:x')(x':x) 
= {P is independent of x'} 

P I 
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Finally we are ready for the proof of Theorem 1, which is now very 
simple: 

wlp(A,P) 
= {Lemma 3} 

wlp(A, (Vx' :x^x'y P{x: x'))) 
= {conjunctivity of wlp} 

(Vx' : wlp(A, x^x'V P{x: x'))) 
= {Lemma 2} 

(Vx' : wlp(A, X ^ x') V P(x : x')) | 

Given Theorem 1, the construction of the cograph correspondence is routine: 
Definitions. For an x-command A, define 

H{A) = wp(A, true) 
G{A) = wlp(A, X # x') 
cog{A) = {H{A),G{A)) 

Note that G{A) holds of (x, x') if x' is not a possible outcome of A from x, 
and H{A) holds of x if ± is not a possible outcome of A from x, so that 
cog(A) (read "cograph of A") represents the complement of the graph of A 
as a relation. 

Inversely, if H is an x-predicate and G is an xx'-predicate, define the com- 
mand com(ir, G) by the rules 

wlp(com(fl',G), R) = (Vx' : G V R{x : x')) 
wp(com(fl',G), R)=H A wlp(com(ir, G), R) 

Obviously com{H, G) satisfies the pairing constraint. The fact that it also 
satisfies the wlp conjunctivity constraint follows from the fact that substitu- 
tion, finite disjunction, and universal quantification all distribute over arbi- 
trary conjunctions. For the wp conjunctivity constraint, one uses in addition 
the fact that finite conjunction distributes over arbitrary non-empty conjunc- 
tions. 

Theorem 2. The operators cog and com are inverses. 
Proof. 

H{com{H, G)) 
= {definition of H} 
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wp(com(if, G), true) 
= {definition of com} 
H 

G{com{H, G)) 
= {definition of G} 

wlp(com(f/', G), I # x') 
= {definition of com, use x" instead of x' to avoid capture} 

(Vx" : G(x' : x") V (x 7^ x'){x : x")) 
= (Vx" : G(x' : x") V x" # x') 
= {Lemma 3} 

G 

Hence cog(com(ff, G)) = {H,G). To show com(cog(A)) is A, we will show 
they have the same wlp's for arbitrary postconditions, and the same wp's for 

TRUE. 

wp(com(cog(A)), true) 
= {definition of cog} 

wp(com(fr(A), G(A)), true) 
= {definition of com} 

H{A) 
= {definition of H} 

wp(A,true) 

wlp(com(cog(>l)), R) 
= {definition of cog} 

w\p{com{H{A),G{A)), R) 
= {definition of com and of G} 

(Vx' : wlp(A, X ^ x') V R{x : x')) 
= {Theorem 1} 

wlp(A,i2) I 

As a further illustration of the cograph correspondence, Table 2 lists the 
conmaands whose cographs contain only the simple predicates true, false, 
and X ^ x'. Our old friends Fail, Skip, and Loop are present, and also a 
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new command Havoc, which was not mentioned before because it is not very 
useful. It relates each initial state to every proper outcome. Its precondition 
equation is 

M\)p{Havoc,P) = [P]. 

In the HH model that is usually associated with the programs-as-predicates 
approach, Havoc can be described (it corresponds to the xz'-predicate true), 
but Loop cannot. Because of this, Hehner [11] bestows upon Havoc by fiat 
properties that Loop enjoys naturally. For example, he defines semicolon so 
that Havoc ; x := 0 = Havoc. With the ordinary semicolon, we would have 
Havoc ; X := 0 = X := 0 (assuming we are talking about x-commands), while 
of course Loop;x := 0 = Loop. One consequence of this is that the semicolon 
becomes non-associative. This can be fixed by adding a distinguished vari- 
able to represent termination; but then the HH model reduces to the general 
model, with the distinguished variable playing a role similar to ±. 



A 


H{A) 


G{A) 


Fail 


TRUE 


TRUE 


Loop 


FALSE 


TRUE 


Havoc 


TRUE 


FALSE 


Loop 0 Havoc 


FALSE 


FALSE 


Skip 


TRUE 


x,*^ x' 


Skip [] Loop 


FALSE 


x^ x' 



Table 2. Some commands with simple cographs. 
8 Recursion 

Finally we come to the problem with which this research started: to apply 
the cograph correspondence and the fixpoint method to general recursion 
in the calculus of guarded commands. To handle recursion we will rely on 
the completeness of the predicate algebra, in addition to the boolean and 
cylindrical properties we have relied on up till now. 

Here is an operational description of the fixpoint method. Let B be 
some command, and for each n let A„ be the command "execute B for at 
most n steps, abandoning any longer computations and classifying them as 
loops" . It should be clear that in some sense, each An is an approximation 
to B, and that the approximation improves as n increzises. The key to the 
fixpoint method is to define this notion of approximation without reference 
to computation sequences. 
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This is straightforward enough. We consider a relational definition first, 
then switch to predicate transformers. In the relational model, we will say 
that A approximates B if A can be obtained from B by replacing some of 
B's proper outcomes with the looping outcome. This condition is equivalent 
to the following two constraints, in which 5 and t range over states and a 
ranges over outcomes: 

(t) (V5,i : Ast =>■ Bst) 
(u) (V5,o : Bso => {Aso V As±)) 

Condition (x) says that every proper outcome of the approximation A is a 
proper outcome of the limit B. Condition {it) says that every outcome of 
the limit is either an outcome of the approximation, or is represented in the 
approximation by the looping outcome. 

Translating into the language of predicate transformers, we have from 
(t) (again using the notation 5 for the co-atomic predicate that holds for all 
states except s) 

(V5,f : Ast =^ Bst) 
= (Vs,t : ^wlp(A,t)(5) =^ ^wlp(B,f)(5)) 
= (Vi2 : R co-atomic : w\p{B,R) ^ vflp{A, R)) 

= {every predicate is a conjunction of co-atoms, conjunctivity of wlp} 
(ViE : R a predicate : wlp(B, R) ^ wlp (A, R)) 

and from (u) 

(V5,o : Bso =^ {Aso V As±)) 
= (Vs : As± (Vo : Bso =4> Aso)) 
= (Vs : ^ As± =J> BsA. A (Vf : Bst =^ Ast))) 

= Wp(A,TRUE) =>■ 

wp(S,TRUE) A {\/R : R a predicate : vflp{A,R) ^ vflp{B,R)) 
= {\/R : R a predicate : wp(A, R) =^ wp(jB, R)) 
Thus we have derived the pleasantly symmetrical definition 

ASLB = A Cwp B N B Cwip A , 



where 



A Cwp 5 = (Vi2 : wp(A, R) vfp{B,R)) 
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and 

A Cwip B = {'^R: wlp(^,E) =^ wlp(5,iE)) . 

The partial order □ is the required approximation relation. Note that both 
Ewp and Qvfip are transitive and reflexive. These properties are preserved 
under inversion and intersection; hence which is the intersection of C^p 
with the inverse of Cwlp> is also reflexive and transitive. Furthermore, if 
A C. B and B C. A, then A and B have the same wp's and wlp's for every 
predicate; therefore they are the same command. Hence □ is a reflexive 
partial order. 

The next step in the method of fixpoint semantics is to consider the joins 
of chains in the approximation order. The axiomatic program requires that 
we base our proof of the existence of joins upon the completeness of the set of 
predicates. The two requirements are most easily met by using the cograph 
correspondence. We therefore investigate the approximation relation C in 
this representation. 

Definition. For cographs {H,G) and {H',G'), we define {H,G) C {H',G') 
to mean 

{H =^ H') A {G' ^ G) A {H AG ^ G') . 
Theorem 3. For cographs [H,G) and {H',G'), 

{{H,G) C {H\G')) = {com{H,G) □ com{H',G')) . 

Proof. Assume first that {H,G) C {H',G'). Then, first, for any R 

wp(com{fl",G), R) 
= wp(com(fZ', G), true) A wlp(com(fZ", G), R) 
^ H A (Vx' :Gy R{x: x')) 
=> {H =^ H', H AG ^ G'} 

H' A (Vx' : G' V R{x : x')) 
= wp(com(iZ'',G'), R) 
and, second, for any R 

wlp(com(H',G'), R) 
= (Vx' : G' V R{x : x')) 
^ {G' G} 
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[W -.Gy R{x: x')) 
= wlp(com(fZ',G), R) 

and therefore com(jBr, G) C com(jH'', G'). 

To prove the converse, let A and B be commands such that A B. 
Then first, 

H{A) 
= wp(A, true) 
=^ {A Ewp B} 

Wp(B,TRUE) 

= H{B) 
and second, 

G{B) 
= wlp(B, X ^ x') 

{B Ewip A} 

wlp(A, X ^ x') 
^ G{A) 

and third, 

H{A) A G{A) 
= wp(A, true) a wlp(A, X 7^ x') 
= {pairing condition} 

wp(A, X ^ x') 
^ {A Ewp B} 

wp(JB, X ^ x') 
=>• {pairing condition} 

wlp(5, X 7^ x') 
^ G(B) 

and therefore {H{A), G{A)) C {H{B), G{B)). | 

From the formula in Theorem 3, we can easily derive and verify a formula 
for the join of a chain. 
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Theorem 4. Any chain has a join, which is given in the cograph represen- 
tation by the formula 

(U H, G :: {H, G)) = ((V H, G H), (A G :: G)) . 

Proof. To show that the given cograph is an upper bound, let {H, G) be any 
cograph in the chain, and check first that 

H ^ [y H,G H) , 
and second that 

{^ H,G -.-.G) ^ G , 

and third (observing that H A G ^ G' follows both from {H, G) C {H', G') 
and from {H\ G') C {H, G)) that 

H AG =^ [A H', G' :: G') 
= (A H',G' ::HAG^G') 

= {{H,G) and {H' ,G') are in the chain; observation above} 

TRUE 

and therefore the given cograph is an upper bound for the chain. Now let 
{H\ G') be some other upper bound, so that for any {H, G) in the chain, 

(0 H^H' 
[ii] G' =^G 
{Hi) H AG^G' 

We must prove that 

((V H,G::H),{A H,G :: 

which we do by observing first that 

(V H,G :: H) H' 
= {AH,G::H^ H') 

^ {(«■)} 

TRUE 

and second that 



38 Section 8: Recursion 



G' =>{aH,G :: G) 
= {A H,G ::G' ^G) 

^ my 

TRUE 

and third that 

(V H, G::H) A (A H, G :: G) ^ G' 
{y H,G::H AG)^G' 
= {A H,G :: H AG ^ G') 

^ {(«")} 

TRUE 

which completes the proof. | 

Note that if a command has no looping outcome, then it is a maximal 
element under the approximation order: the only command it approximates 
is itself. Thus there are many maximal elements, and therefore no maximum 
element. Thus the empty set does not have a meet. But, as it turns out, 
any nonempty set does have a meet. This result will allow us to apply our 
version of the Knaster-Tarski Theorem when we need it in the proof of the 
final theorem on recursion. 

A note on notation: since we are using = for the equality relation on 
predicates, we use = as the equality operation. That is, P = Q means 
V g) A (P V -g). 

Theorem 5. Let {Hi,Gi) be a non-empty indexed set of cographs, where i 
ranges over an anonymous index set. Define H' and G' by 

H'={Ai,j::HiA{Gi = G,)) 
G' = (V i :: Gi) 

Then [H' , G') is the greatest lower bound for the set [Hi, Gi) in the C order. 
Proof. Here is the proof that {H',G') is a lower bound: 

{H',G') Q {Hi,Gi) 
= {H' => Hi) A {Gi => G') A [H' AG' ^ Gi) 
= {H' =>{Ai:: Hi) Hi} 

{Gi ^ G') A {H' AG' ^ Gi) 
= {Gi =^ (V i :: Gi) = G'} 
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H' AG'^ Gi 
4= {weaken H'} 

(A i,j : Gi = Gj) A (V »• : G.) ^ Gi 
= {the G's are equal and one is true any is true} 

TRUE 

To show that {H',G') is the greatest lower bound, let {H,G) be another 
lower bound; thus for each i, 

(0 H =^ Hi 
(») Gi G 
(m) H AG =>Gi 

To show that {H,G) C {H',G'), check first that 
H=^ H' 

= H=^{Ai,j::HiA{Gi^G,)) 
= (A i,j ::H^ Hi A {Gi - Gy)) 

^ {(0} 

(A i,j ::H=> {Gi = Gy)) 

= (A i,y :: A G.- =^ Gy) 

^ {(")} 

{At,j ::H A G ^ Gj) 

^ {(m)} 

TRUE 
and second that 

G' ^G 
= (V i :: G.) G 

^ {(«)} 

TRUE 

and finally that 

H AG^G' 
= H AG^{vi:: Gi) 
<= {y i::H AG ^ Gi) 
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^ {{Hi)} 

(V t :: true) 

= {i ranges over a non-empty set} 

TRUE 

which completes the proof. | 

Next we consider the distribution properties of wp and wlp over joins of 
chains. 

Theorem 6. Let A range over any chain of commands, then for any predi- 
cate R, 

w(l)p((U A :: A), R) = (V(A) A :: w(l)p(^, ii!)) . 

Proof. In the following, {H, G) ranges over the chain of cographs correspond- 
ing to the chain of commands that A ranges over. Here is the proof of the 
formula for wlp: 

wlp((U A :: A), R) 
= wlp((U H,G :: com(F,G)), R) 
= {Theorem 4} 

wlp(com((v H, G ::H), (A H, G :: G)), R) 
= {def. of com} 

(Vx' : (A H,G :: G) V R{x : x')) 
= (Vx' : (A G :: G V R{x : x'))) 
= {AH,G :: (Vx' : G V i2(x : x'))) 
= {def. of com} 

(A H,G :: wlp(com(fZ', G), R)) 
= {A A :: wlp{A, R)) 

The two directions for the formula for wp are proved separately: 

wp((U A :: A), R) 
= wp((U H,G :: com{H,G)), R) 
= {Theorem 4} 

wp(com((V H,G :: H),{A H,G :: G)), R) 
= {pairing condition, def. of com} 

(V H, G::H) A (Vx' : {A H,G :: G) V R{x : x')) 
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= H,G::H A (Vx' : {A H,G :: G) V R{x : x'))) 
=4> {V H,G::H A (Vx' : G W R{x : x'))) 
= {V H,G •.:wp{com{H,G), R)) 
= {y A::wp{A,R)) 

The proof of the other direction is 

(V A :: wp{A,R)) => wp((U A :: A), i2) 
= {A A:: wp{A,R) =^ wp((U A :: A), i?)) 
= {A C (U A :: A)} 

TRUE 

This completes the proof. | 

Theorem 7. The fundamental operators, assignment, and projection are all 
chain-continuous in their command arguments. 

Proof. In order to express the proof compactly, the parenthesis convention 
will be used repeatedly. So will the principle that two commands are equal 
if they have the same w(l)p's for any postcondition. 

Here is the proof that D is chain-continuous in its first (hence also in its 
second) argument: 

w(l)p((U A:: A)DB, R) 
= w(l)p((U A :: A), R) A w{\)p{B,R) 
= (V{A) A :: w(l)p(A,ii:)) A w(l)p(S,i2) 
= (V(A) A ::w(l)p(A,i2) A w(l)p(5,i2)) 
= (V(A) A ::M\)p{AUB,R)) 
= w(l)p((u A ::AUB), R) 

The proof that —y is chain-continuous in its second argument is very similar: 

w(l)p(P ^ (U A :: A), R) 
= -iP V w(l)p((U A :: A), R) 
= V (V(A) A :: w(l)p(A, R)) 
= (V(A) A :: -P V w(l)p(A,i2)) 
= (V(A) A :: w(l)p(P -> A,R)) 
= w(l)p((U A :: P ^ A), R) 

Here is the proof that the operator ; is chain-continuous in its first argument: 
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w(l)p((U A :: A) ;B, R) 
= wa)p((U A :: A), MI)t>{B,R)) 
= (V(A) A ::w(l)p(A,w(l)p(B,ii!))) 
= (V(A) A :: w(l)p(A;fi, R)) 
= w(l)p((U A ■.:A;B), R) 

And in its second argument: 

w(l)p(A ; (U B :: B), R) 
= w(l)p(A, w(l)p((U B :: B), R)) 
= w(l)p(A, (V(A) B :: w(l)p(B,E))) 
= {explanation below} 

(V(A) B :: w{l)p(A, Ml)j>{B , R))) 
= (V{A) B ::M\)p{A;B, R)) 
= w(l)p((U B ::A;B), R) 

Explanation of the step above: the wlp case is a simple consequence of wlp's 
conjunctivity. The wp case is less obvious, since wp is not disjunctive in 
general. But it is easy to show that if Bl B2, then wp distributes over 
the disjunction Bl V B2. Since the 5's range over a chain, any two values 
of wp(B, R) will be comparable by =>. Therefore the step is also valid in the 
wp case. 

Before considering 0, observe that 

g{{UA::A)) 
= -iwp((U A :: A), false) 
= -i(V A :: wp(yl, false)) 
= -(V A::-^(A)) 
= {AA::g{A)) 

For the first argument to 0, we consider the wp and wlp cases separately. 
The wlp case is easy: 

wlp((U A :: A)EB, R) 
= wlp((U A :: A), R) A (^((U A :: A)) V w\p{B,R)) 
= {A A :: vf\p{A, R)) A (A A :: ^(A) Vwlp(5,i2)) 
= {A A:: wlp(A, J?) A {g{A) V wlp(B,iE))) 
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= (A A::wlp(ASB, R)) 
= wlp((u A y.A^B), R) 

The wp case is harder: 

wp((U^::A)BB, R) 
= wp((U A :: A), ^i) A (^((U A :: yl)) V wp(5,iE)) 
= (V A :: wp(^i2)) A ((A A :: ^(A)) V wp(5,iE)) 
= (V A :: wp(^, R) A ((A A :: g{A)) V wp(5, iE))) 
= {explanation below} 

(V A :: wp(A, iE) A (^(^) V wp(B, ^!))) 
= {V A :: wp(yigB, iE)) 
= wp((U A:: ABS), iZ) 

Explanation of the step above: To show that (A A :: ^(A)) may be replaced 
by in the context in which it appears in the step above, we just need 

to show that for any A' such that A Q A' ot A' O A, 

yfp{A,R)Ag{A)^g{A'). 
This follows from two observations. First, that 

A'QA=>{giA)=>g{A')), 
since 

9iA) = -iwp(A, false) =^ -iwp(A',FALSE) = g{A') . 
Second, that 

AQA'^ {g{A) A wp(A,TRUE) =}> g{A')) , 
since 

g{A) A wp{A, true) 
= -iwp(A, false) A wp(A, true) 
= {pairing condition} 

-1 (wp(A, true) a wlp(A, false)) a wp(yl, true) 
= {boolean algebra} 

-iwIp(A, false) a Wp(yl,TRUE) 
=^ {AH A'} 
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-'Wlp(A',FALSE) A wp(A',TRUE) 
= {pairing condition again; boolean algebra again} 

->wp(A', false) 
^ 9 {A') 

The second argument to 0 is easier: 

w(l)p(AS{UB:: B), R) 
= w(l)p(A,i2) A {g{A) V w(l)p((u B :: B), R)) 
= M\)p{A,R) A {g{A) V (V(A) B :: w(l)p(B, i2))) 
= w(l)p(A,ij:) A (V(A) B :: {g{A) V w{\)p{B,R))) 
= (V(A)B :: w(l)p(A,i2) A (^(yl) V w(l)p(5,i2))) 
= (V(A) B :: w(l)p(AgB, i?)) 
= w(I)p((UB:: ABB), i?) 

The projection operator is easy: 

w(l)p(Ix|(UA :: A)1,E) 
= (Vx : w(l)p((uA :: A), R)) 
= (Vx : (V(A) A :: w(l)p(A, i2))) 
= (V(A) A :: (Vx : w(l)p(A,ii:))) 
= (V{A) A ::w(l)p(Ix | A], R)) 
= w(l)p((uA :: [x I A]), R) 

The assignment operator is continuous in all its command arguments, 
because it doesn't have any. 

This completes the proof of the theorem. | 

All of the pieces are now in place for the proof of the final theorem 
concerning the existence of fixpoints. 

Theorem 8. Let f be a map from commands to commands defined by an 
expression of the form f{X) = S, where £ is an expression built from the 
fundamental operators, assignment, projection, the command parameter X, 
and any number of fixed commands and predicates. Then f has a least 
hxpoint under the C relation, equal to (Ut : t > 0 : P{Loop)), and to 
(nX: /(X) C X:X). 

Proof. Theorem 7 shows that the operators are continuous, therefore / is 
continuous. Theorem 4 shows that any chain hcis a join in the approximation 
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order. Thus the conditions of the Limit Theorem are satisfied. The formula 
from the Limit Theorem justifies the first formula in the theorem, since, as 
is easily seen, the command Loop is C-minimal. Thus / has a fixpoint, so 
the meet in the theorem's second formula is non-empty, and therefore exists 
by Theorem 5, and equals /'s least fixpoint by the Knaster-Tarski Theorem. 
I 

Note that the theorem equates the fixpoint both to an infinite meet and 
to an infinite join. Each equation has its uses, although in this paper we will 
use only the join equation. 

No new difficulties are created by mutual recursion. For example, a 
mutually recursive definition of two commands A and B will have the form 

{A,B) = {f{A,B),9{A,B)), 

where / and g are chain-continuous. This can be treated as a fixpoint equa- 
tion over the universe of command pairs, for which a suitable approximation 
relation is defined by 

{A,B)Q{A',B') = AC A' A B Q B' . 

The details are left to the interested reader. 

Once mutual recursion is available, we can add do-od to the list of 
operators in the theorem, since iteration can be eliminated in favor of tail- 
recursion. The details of this elimination are the subject of the next section. 

9 Iteration and tail-recursion 

In this section, we will see that if do-od and if-fi are defined recursively, 
their semantics agree with Dijkstra's direct definitions. To show this, we will 
prove a general formula for the preconditions of a tail recursion. 

We begin by comparing the two definitions of do-od. Since unrolling a 
loop doesn't change its meaning, the equation 

do A od = A ; do A od 0 Skip 

is valid. Thus do A od is a solution of the equation 

X = A;X ^ Skip. (1) 

Appealing to Theorem 8, we define do A od as the C-least solution of the 
equation. Since the right-hand side is a chain-continuous function of X, the 
least solution exists. 
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Without Theorem 8, Hehner [10] proceeded as follows. For any X sat- 
isfying (1), and any postcondition R, we have 

w(l)p(X,i2) = w(l)p(A,w(l)p(X,i2)) A {g{A) V R) (2) 

by applying the precondition equations for the right-hand side. Thus 
w(l)p(do A od, R) is a solution for P of the predicate equation 

P = w(l)p(A,P) A {g{A) V R) . (3) 

Hehner defined wp(do A od, R) as the strongest solution of the equation, 
and wlp(do A od, R) as the weakest solution of the equation. He also proved 
that this definition agreed with Dijkstra's original definition in Discipline of 
Programming, and Dijkstra has subsequently adopted Hehner 's definition [5]. 

Note that Hehner's definition uses predicate recurrences; predicate 
transformer recurrences are not needed. His technique works because of 
the special form of (1): when the precondition of the right hand side of the 
equation with respect to R is taken, the only occurrences of X are in expres- 
sions of the form w(l)p(X,i2). This allows the step from (2) to (3), where 
these occurrences are replaced by P. In other words, the technique works 
for the recursion X = f{X) provided that w(l)p(/(X), R) can be written as 
a function of w(l)p(X, P). We call such recursions tail recursions, and prove 
in the following theorem that Hehner's technique works for all of them, and 
therefore in particular for do-od. 

Theorem 9. Let f be a chain- continuous totality-preserving function from 
commands to commands such that for some conjunctive predicate transform- 
ers g and gl, the following identity holds for all predicates R and all total 
commands X: 

w(l)p(/(X), R) = gil){w{l)p{X,R), R) . (4) 
Let Xo he the C-ieast hxpoint of f. Then for any predicate R, 

w(l)p(Xo,i2) = the strongest (weakest) Rxpoint of g{l){l,R) . 
To apply the theorem to the semantics of do A od, let 



/(X) = A ; X g Skip 
g{l){P,R)=w(\)p{A,P) A {g{A) V R) 
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Then the conditions of the theorem are satisfied. (Note that the assumption 
that X is total is required to guarantee the equivalence of ^(^4 ; X) and 
The theorem implies that 

w(l)p(do A od, R) = the strongest (weakest) fixpoint o{gU){l,R), 
which is exactly Hehner's formula for do-od. 

The condition of Theorem 9 can be summarized by saying that / is 
a chain-continuous total tail recursion. We will call (4) the tail recursion 
identity. 

Proof of Theorem 9. To show that w(l)p(Xo,iE) is a fixpoint of g{l){'?,R), 
observe that 

g{l){Ml)p{Xo,R), R) 
= {tail recursion identity} 

w(l)p(/(Xo), R) 
= {Xq is a fixpoint of /} 

w(l)p(Xo,iE) 

To show that w(l)p(Xo,i2) is the strongest (weakest) fixpoint, observe first 
that since / is chain-continuous, Theorem 8 yields 

Xo = (U n :: /"(Loop)) , 
and therefore, by Theorem 6, 

w(l)p(Xo,i2) = (V(A) n :: w(l)p(/'» (Loop), R)) . 
Let P be any fixpoint of g{?,R), then 

wp(Xo,ii:) =^ P 
= (V n :: wp(/" (Loop), R)) =J> P 
= (An:: wp(/'' (Loop), R) ^ P) 
= {induction below} 

TRUE 

The induction is easy: if n = 0, wp(/" (Loop), R) is false, which is as strong 
as P. Also, 

wp(/" (Loop), R)^ P 
{g is monotonic} 
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g{vfVir{Loop), R), R) g{P,R) 
= {tail recursion} 

yfp{r+'{Loop),R)^g{P,R) 
= {P is a fixpoint of g} 

vfp{r+^{Loop), R)^P 

The proof of the other half of the theorem is essentially the same, but 
the parenthesis convention is not powerful enough to allow the two halves to 
be folded together. Let P be any fixpoint of gl{l,R). Then 

P=j>wlp(Xo,i2) 
= P^{An:: w\p{r{Loop), R)) 
= {An::P=> wlp{/'* (loop), R)) 
= {induction below} 

TRUE 

The induction is easy: if n = 0, wlp(/"(ioop), R) is true, which is as weak 
as P. Also, 

P=J>wlp(/'* (loop), R) 
=^ {gl IS monotonic} 

gl{P,R) gl{w\p{r{Loop), R), R) 
= {tail recursion} 

gl{P,R) ^yf\p{r+HLoop), R) 
= {P is a fixpoint of gl} 

p wlp(/"+HLoop), R) 

This completes the proof of the theorem. | 

Tail recursion can be used to define if-fi as well as do-od. Let if A fi 
be the C-least solution of 

X: X = AEX. 

This equation can be justified by unrolling the operational definition "acti- 
vate A until it succeeds". Then Theorem 9 applies, and simple arguments 
yield the precondition equations for if-fi: 

wp(if A fi, R) = g{A) A wp(A,P) 
wlp(if A fi, R) =wlp(A,P) 
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10 Concluding remarks 

It is not difficult to show that the Limit Theorem remains true if the con- 
straint on / is weakened from "continuous" to "monotonic" , and the range 
of i in the expression (Ui :: /'(min)) is changed from "the integers" to "the 
ordinals". Thus if any useful operations on commands turn up that are 
monotonic but discontinuous, they can still be included in recursive defini- 
tions, since Theorem 8 can be modified to rely on the more general form of 
the Limit Theorem. 

A partially ordered set is directed if it contains an upper bound for 
every pair of its elements. A directed set is a generalization of a chain, and 
Theorems 4 and 6 are true for directed sets as well as chains. 

The commands of the general calculus form a denotational semantic do- 
main, that is, a continuous partial order. At least, this is true modulo some 
technicalities, which will now be explained. Let A <^ B mean that for any 
chain, if B approximates the join of the chain, then A approximates some 
element of the chain. (For simplicity we continue to use chains instead of 
directed sets.) The formula A <C B is read "A is way below 5" ; its opera- 
tional meaning is that A is one of the approximations that can be obtained 
by executing B for a finite number of steps and classifying any uncompleted 
computations as loops. (This interpretation may be misleading if B is un- 
boundedly nondeterministic, but operational interpretations of unbounded 
nondeterminism are bound to be paradoxical.) The interpretation suggests 
that a command should equal the join of those commands that are way below 
it; if this is in fact true for all commands, the partial order C from which <C 
is constructed is said to be continuous. 

A standard example of a discontinuous partial order is the implication 
order in a complete atomless predicate algebra. In such a predicate al- 
gebra, the approximation relation C constructed from =^ will not be con- 
tinuous, either. But I have proved that if is continuous (as it is in most 
predicate algebras of practical importance, including the algebra of boolean 
functions on a state space), then so is C. In summary: if the underlying 
predicate algebra is continuous, the commands of the general calculus form 
a denotational semantic domain. 

My final conclusion is that Dijkstra was right: general recursion is more 
complicated than simple iteration. 
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partial commands 
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predicate transformer approach 4, 5, 14, 17, 19 
predicative programming 6 
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